Prioritizing the deployment of the April security bulletins

Prioritizing the deployment of the April security bulletins

We just released eight security bulletins, five of which are rated Critical on at least one platform. We built a reference table of bulletin severity rating, exploitability index rating, and attack vectors. This table is sorted first by bulletin severity, next by exploitability index rating, and then by bulletin number. We hope it helps you choose an order of bulletins to start your prioritization and testing if you can’t deploy them all out immediately.

XLS file attached to email or posted on a website. These vulnerabilities are critical only on Office 2000. Other versions of Office force user to click through a prompt, reducing severity to Important.

Yes, exploit tools are publicly available for CVE-2009-0550 (SMBRelay). However, this CVE is Important, not Critical.

The attack vector for the Critical CVE is a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution in the context of the user running the application. Internet Explorer does not use WinHTTP.

We would be happy to answer any questions you have about these bulletins. You can contact us at switech _AT_ microsoft.com. We will also be on the monthly MSRC webcast that describes the bulletins and answers questions live "on air". You can find instructions to attend that webcast on the MSRC blog.